Changeset 28911


Timestamp:
2014-03-17T21:36:16+13:00 (7 years ago)
Author:
ak19
Message:

Fourth commit for security and safe cgiargs.

Location:
main/trunk/greenstone2
Files:
6 edited

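--- a/main/trunk/greenstone2/macros/query.dm
+++ b/main/trunk/greenstone2/macros/query.dm
@@ -111,24 +111,24 @@
 _historypagescriptextra_{
 
-var histvalue0='_histvalue0_';
-var histvalue1='_histvalue1_';
-var histvalue2='_histvalue2_';
-var histvalue3='_histvalue3_';
-var histvalue4='_histvalue4_';
-var histvalue5='_histvalue5_';
-var histvalue6='_histvalue6_';
-var histvalue7='_histvalue7_';
-var histvalue8='_histvalue8_';
-var histvalue9='_histvalue9_';
-var histvalue10='_histvalue10_';
-var histvalue11='_histvalue11_';
-var histvalue12='_histvalue12_';
-var histvalue13='_histvalue13_';
-var histvalue14='_histvalue14_';
-var histvalue15='_histvalue15_';
-var histvalue16='_histvalue16_';
-var histvalue17='_histvalue17_';
-var histvalue18='_histvalue18_';
-var histvalue19='_histvalue19_';
+var histvalue0='_histvalue0Jssafe_';
+var histvalue1='_histvalue1Jssafe_';
+var histvalue2='_histvalue2Jssafe_';
+var histvalue3='_histvalue3Jssafe_';
+var histvalue4='_histvalue4Jssafe_';
+var histvalue5='_histvalue5Jssafe_';
+var histvalue6='_histvalue6Jssafe_';
+var histvalue7='_histvalue7Jssafe_';
+var histvalue8='_histvalue8Jssafe_';
+var histvalue9='_histvalue9Jssafe_';
+var histvalue10='_histvalue10Jssafe_';
+var histvalue11='_histvalue11Jssafe_';
+var histvalue12='_histvalue12Jssafe_';
+var histvalue13='_histvalue13Jssafe_';
+var histvalue14='_histvalue14Jssafe_';
+var histvalue15='_histvalue15Jssafe_';
+var histvalue16='_histvalue16Jssafe_';
+var histvalue17='_histvalue17Jssafe_';
+var histvalue18='_histvalue18Jssafe_';
+var histvalue19='_histvalue19Jssafe_';
 
 function inputQuery(value) \{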
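Review bot: The `_histvalueNJssafe_` values are dropped into single-quoted JavaScript string literals (the `var histvalueN='…'` lines 113–132), so the `encodeForJavascript` applied in basequeryaction.cpp has to neutralise a `</script>` sequence in the query text as well as quotes and backslashes; escaping for a JS string alone does not stop the HTML parser from closing the enclosing script element early. Worth confirming that the encoder also escapes `<`, `>` and `/` (for example as `\x3C`, `\x3E`, `\/`), and adding a comment in this macro saying that the histvalue variables sit in JS string literals and only the Jssafe macros may be used here, so the raw `_histvalueN_` variant is not reintroduced later. The `_historypagescriptextra_` macro body continues past the end of this hunk.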
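--- a/main/trunk/greenstone2/perllib/plugouts/BasePlugout.pm
+++ b/main/trunk/greenstone2/perllib/plugouts/BasePlugout.pm
@@ -918,5 +918,5 @@
         my $rss_entry = "<item>\n";
         $rss_entry   .= "   <title>$dc_title</title>\n";
-    $rss_entry   .= "   <link>_httpdomain__httpcollection_/document/$oid</link>\n";
+    $rss_entry   .= "   <link>_httpdomainHtmlsafe__httpcollection_/document/$oid</link>\n";
     $rss_entry   .= "</item>";
 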
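Review bot: `$dc_title` on line 919 and `$oid` on the rewritten line 920 are still interpolated into the RSS XML unescaped, while the same line now switches the domain to `_httpdomainHtmlsafe_`; if `$dc_title` comes straight from document metadata, an `&`, `<` or quote in a title breaks or alters the feed markup, so it should be XML-escaped at this point, or a comment should state where it was escaped earlier. The enclosing subroutine begins and ends outside this hunk, so the assignments of these variables are not visible here.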
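--- a/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/basequeryaction.cpp
@@ -606,4 +606,5 @@
     histvalue += i;
     disp.setmacro(histvalue, "query", escquery);
+    disp.setmacro(histvalue+"Jssafe", "query", encodeForJavascript(escquery));
     format_user_info(cgiargs, userinfo, args, protos, logout);
    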
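Review bot: The new `histvalue+"Jssafe"` macro on line 608 carries no comment saying where it is consumed or why the unencoded `histvalue` macro on line 607 is kept alongside it; since the two must stay in step with query.dm, add `// JS-string-safe copy of the same value; query.dm's _historypagescriptextra_ must use only this variant` above line 608. The name `escquery` suggests the value is already escaped for some other context — if that escaping is HTML, the new variant double-encodes and the history values will show entities in the page, so it is worth confirming which encoding `escquery` carries and noting it in the same comment. The enclosing loop and function start and end outside this hunk.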
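--- a/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/queryaction.cpp
@@ -743,5 +743,5 @@
       << "<form name=\"QueryForm\" method=\"get\" action=\"_gwcgi_\">\n"
       << "<input type=\"hidden\" name=\"a\" value=\"q\">\n"
-          << "<input type=\"hidden\" name=\"site\" value=\"_cgiargsite_\"\n"
+          << "<input type=\"hidden\" name=\"site\" value=\"_cgiargsiteAttrsafe_\"\n"
       << "<input type=\"hidden\" name=\"e\" value=\"_compressedoptions_\">\n"
       << "<input type=\"hidden\" name=\"ccp\" value=\"1\">\n"
@@ -1390,5 +1390,5 @@
     decode_cgi_arg (compressedoptions);
     if (args["w"] == "utf-8") { // if the encoding was utf-8, then compressed options was utf-8, and we need unicode.
-    // if encoding wasn't utf-8, then compressed opotions may be screwed up, but seems to work for 8 bit encodings?
+    // if encoding wasn't utf-8, then compressed options may be screwed up, but seems to work for 8 bit encodings?
       compressedoptions = to_uni(compressedoptions);
     }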
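Review bot: The rewritten `site` hidden input on line 745 still lacks the closing `>` before `\n` (compare `value=\"q\">\n"` on line 744), so an HTML parser will most likely treat the following `<input type="hidden" name="e" …>` as stray attributes of the `site` tag and the `e` field never gets submitted; the line should end `value=\"_cgiargsiteAttrsafe_\">\n"`. In the same attribute context, `_compressedoptions_` on line 746 and `_gwcgi_` on line 743 are emitted without an Attrsafe variant — the second hunk shows `compressedoptions` being decoded from a CGI argument, so if the macro is derived from that value it needs the same treatment as `site`. The enclosing output statement continues outside the first hunk.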
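--- a/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/rssaction.cpp
@@ -68,5 +68,5 @@
       << "<channel>\n"
       << "  <title>_collectionname_</title>\n"
-      << "  <link>_httpdomain__httppageabout_</link>\n"
+      << "  <link>_httpdomainHtmlsafe__httppageabout_</link>\n"
       << "  <description>_collectionextra_</description>\n"
       << "  <language>_cgiarglHtmlsafe_</language>\n"
@@ -79,5 +79,5 @@
       << "  <title>_collectionname_</title>\n"
       << "  <url>_iconcollection_</url>\n"
-      << "  <link>_httpdomain__httppageabout_</link>\n"
+      << "  <link>_httpdomainHtmlsafe__httppageabout_</link>\n"
       << "  <description>_collectionextra_</description>\n"
       << "</image>\n";
@@ -125,8 +125,11 @@
    
     if(!args["hostname"].empty()) {
-      disp.setmacro("httpdomain", "Global", "http://" + encodeForURL(args["hostname"]));
+      disp.setmacro("httpdomain", "Global", "http://" + args["hostname"]);
+      disp.setmacro("httpdomainHtmlsafe", "Global", "http://" + encodeForHTML(args["hostname"]));
     }
     else { // we shouldn't have to get here
-      disp.setmacro("httpdomain", "Global", "http://localhost:8282"); // the default used in zextra.dm. (Could perhaps default this to localhost too)
+      text_t default_domain = "http://localhost:8282";
+      disp.setmacro("httpdomain", "Global", default_domain); // the default used in zextra.dm. (Could perhaps default this to localhost too)
+      disp.setmacro("httpdomain", "Global", encodeForHTML(default_domain));
     }
   }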
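Review bot: In the fallback branch, new line 133 registers the HTML-encoded default under the name `"httpdomain"` rather than `"httpdomainHtmlsafe"`, so when `hostname` is empty the `_httpdomainHtmlsafe_` macro that lines 70 and 81 (and BasePlugout.pm in this changeset) now rely on is never defined, and `httpdomain` is overwritten with the encoded value; it should read `disp.setmacro("httpdomainHtmlsafe", "Global", encodeForHTML(default_domain));`. Separately, line 127 drops `encodeForURL`, so `_httpdomain_` now holds the raw request-supplied hostname; any template that still expands `_httpdomain_` (only the RSS uses are switched here) receives it unescaped, so either keep the URL-encoded form for that macro or verify no such references remain. The enclosing function starts outside the hunk.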
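--- a/main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp
+++ b/main/trunk/greenstone2/runtime-src/src/recpt/statusaction.cpp
@@ -786,7 +786,9 @@
       << "<pre>\n";
 
+  text_t logcontent = file_tail (logfilename, 100, 1500);
+
   // note that we're expecting lines to be no more than 1500 characters on
   // average - should fix this file_tail() thing sometime
-  textout << outconvert << file_tail (logfilename, 100, 1500);
+  textout << outconvert << encodeForHTML(logcontent);
 
   textout << outconvert << disp << "</pre>\n"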
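Review bot: The new `encodeForHTML(logcontent)` on line 792 has no comment explaining the change, and the existing comment directly above it only discusses line length, so a reader may later "simplify" it back to the raw output; add `// the log text is emitted verbatim inside <pre>, so any markup characters in it must be escaped` above line 792. The surrounding function and output statement continue outside the hunk.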